Fix 2FA/sign-in token sessions being valid after password change (#14802)

If someone tries logging in to an account and is prompted for a 2FA code or sign-in token, even if the account's password or e-mail is updated in the meantime, the session will show the prompt and allow the login process to complete with a valid 2FA code or sign-in token
2020-11-12 23:05:01 +01:00 · 2020-11-12 23:05:01 +01:00 · 8532429af7
commit 8532429af7
parent 9870b175b4
7 changed files with 78 additions and 40 deletions
--- a/app/controllers/concerns/sign_in_token_authentication_concern.rb
+++ b/app/controllers/concerns/sign_in_token_authentication_concern.rb
@ -18,7 +18,9 @@ module SignInTokenAuthenticationConcern
  def authenticate_with_sign_in_token
    user = self.resource = find_user

-    if user_params[:sign_in_token_attempt].present? && session[:attempt_user_id]
+    if user.present? && session[:attempt_user_id].present? && session[:attempt_user_updated_at] != user.updated_at.to_s
+      restart_session
+    elsif user_params.key?(:sign_in_token_attempt) && session[:attempt_user_id]
      authenticate_with_sign_in_token_attempt(user)
    elsif user.present? && user.external_or_valid_password?(user_params[:password])
      prompt_for_sign_in_token(user)
@ -27,7 +29,7 @@ module SignInTokenAuthenticationConcern

  def authenticate_with_sign_in_token_attempt(user)
    if valid_sign_in_token_attempt?(user)
-      session.delete(:attempt_user_id)
+      clear_attempt_from_session
      remember_me(user)
      sign_in(user)
    else
@ -42,10 +44,10 @@ module SignInTokenAuthenticationConcern
      UserMailer.sign_in_token(user, request.remote_ip, request.user_agent, Time.now.utc.to_s).deliver_later!
    end

-    set_locale do
-      session[:attempt_user_id] = user.id
-      @body_classes = 'lighter'
-      render :sign_in_token
-    end
+    set_attempt_session(user)
+
+    @body_classes = 'lighter'
+
+    set_locale { render :sign_in_token }
  end
 end
--- a/app/controllers/concerns/two_factor_authentication_concern.rb
+++ b/app/controllers/concerns/two_factor_authentication_concern.rb
@ -37,9 +37,11 @@ module TwoFactorAuthenticationConcern
  def authenticate_with_two_factor
    user = self.resource = find_user

-    if user.webauthn_enabled? && user_params[:credential].present? && session[:attempt_user_id]
+    if user.present? && session[:attempt_user_id].present? && session[:attempt_user_updated_at] != user.updated_at.to_s
+      restart_session
+    elsif user.webauthn_enabled? && user_params.key?(:credential) && session[:attempt_user_id]
      authenticate_with_two_factor_via_webauthn(user)
-    elsif user_params[:otp_attempt].present? && session[:attempt_user_id]
+    elsif user_params.key?(:otp_attempt) && session[:attempt_user_id]
      authenticate_with_two_factor_via_otp(user)
    elsif user.present? && user.external_or_valid_password?(user_params[:password])
      prompt_for_two_factor(user)
@ -50,7 +52,7 @@ module TwoFactorAuthenticationConcern
    webauthn_credential = WebAuthn::Credential.from_get(user_params[:credential])

    if valid_webauthn_credential?(user, webauthn_credential)
-      session.delete(:attempt_user_id)
+      clear_attempt_from_session
      remember_me(user)
      sign_in(user)
      render json: { redirect_path: root_path }, status: :ok
@ -61,7 +63,7 @@ module TwoFactorAuthenticationConcern

  def authenticate_with_two_factor_via_otp(user)
    if valid_otp_attempt?(user)
-      session.delete(:attempt_user_id)
+      clear_attempt_from_session
      remember_me(user)
      sign_in(user)
    else
@ -71,16 +73,18 @@ module TwoFactorAuthenticationConcern
  end

  def prompt_for_two_factor(user)
-    set_locale do
-      session[:attempt_user_id] = user.id
-      @body_classes = 'lighter'
-      @webauthn_enabled = user.webauthn_enabled?
-      @scheme_type = if user.webauthn_enabled? && user_params[:otp_attempt].blank?
-                       'webauthn'
-                     else
-                       'totp'
-                     end
-      render :two_factor
+    set_attempt_session(user)
+
+    @body_classes     = 'lighter'
+    @webauthn_enabled = user.webauthn_enabled?
+    @scheme_type      = begin
+      if user.webauthn_enabled? && user_params[:otp_attempt].blank?
+        'webauthn'
+      else
+        'totp'
+      end
    end
+
+    set_locale { render :two_factor }
  end
 end
--- a/app/controllers/concerns/user_tracking_concern.rb
+++ b/app/controllers/concerns/user_tracking_concern.rb
@ -6,14 +6,13 @@ module UserTrackingConcern
  UPDATE_SIGN_IN_HOURS = 24

  included do
-    before_action :set_user_activity
+    before_action :update_user_sign_in
  end

  private

-  def set_user_activity
-    return unless user_needs_sign_in_update?
-    current_user.update_tracked_fields!(request)
+  def update_user_sign_in
+    current_user.update_sign_in!(request) if user_needs_sign_in_update?
  end

  def user_needs_sign_in_update?